Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sum of values and max (or last) value in the same query

piretro999
New Member
‎04-13-2018 07:17 AM

Hello I have to build up a query on Splunk, on wich I am a real newbie.
I have a sheet in wich every record contains a name, an event, some points related to the single event and a sum of the points that comes from all the previous events plus the present one.
E.G.
|Person |Action |Pt |Tot|
|John |"eats a pie" | 1 | 1|
|John |"does a jump" | 3| 4|
|John |"goes to bed" | 5| 9|
|Tim |"tells a lie" | 7| 11 |

The query should show should be something like this
|Person |Pt|Tot|
|John | 9| 9|
|Tim | 7| 11|

As a next step, if the two values does not match (like for Tim), then an alert is raised.
What query can I implement?
Thank you.
Paolo

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎04-13-2018 09:57 AM

hello there,
considering the Tot field values are accumulative and accurate you can try something like this maybe:
... your search ... | stats sum(Pt) as Points max(Tot) as accum_total by Person
then apply your alert rule either in search or while saving as an alert.
in search | where Point!=accum_total
in alert | search Point!=accum_total
hope it helps

0 Karma
Reply

somesoni2
Revered Legend
‎04-13-2018 09:47 AM

Try something like this

your base search which gives fields Person, Action Pt Tot
| stast sum(Pt) as Pt max(Tot) as Tot by Person
| where Pt!=Tot

You can setup alert using this query when "number of events is greater than 0" (means there is a mismatch in Pt and Tot)

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...